The best way of Operation System/Service/Network Hardening

The goal of this process is providing more security to the IT infrastructure, but in the process of hardening, sometimes there are some items in the checklists, that can put the availability of our system in jeopardy.
A brief google search, shows there are tons of hardening checklist and documents, but I want to know the hardening process of Its infrastructure has a framework or standard or it is best-practice and When will we be sure that what we have done is good enough?

Hardening ASP.NET against session fixation: Should I change the session ID despite the additional Auth cookie?


Situation

I am the responsible developer for an ASP.NET application that uses the “Membership” (username and password) authentication scheme. I am presented with the following report from a WebInspect scan:

WebInspect has found a session fixation vulnerability on the site. Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID).

Reproduction

I tried to reproduce the typical attack, using the guide on OWASP:

  1. I retrieve the login page. When inspecting the cookies with Google Chrome’s Developer Tools (F12), I get:

    • ASP.NET_SessionId w4bce3a0e5j4fmxj3b0lqkw2
  2. After authentication on the login page, I get an additional

    • .ASPXAUTH F0B9C00FC624E3F2C0CD2EC9E5EF7D10D91A6D62A26BAEE67A38D0608198750A2428E1F5D7278DCE6312C32EE2788D6C79E8112EA35B2397DB84FBB2BE1DBDA815A304B12505D2B786B00038B1EB0BE854DBDAF13072AFEDB3A21E36A7BCD7CD0032A0BCE8E90ECEAFA5FF487D6D2E2C

    • while the session cookie stays the same (as preconditioned for a session fixation attack)

  3. Attack: However, if steal/make up and fix only the ASP.NET_SessionId and inject it into another browser, the request is not authenticated. It is authenticated only after also stealing the .ASPXAUTH cookie, which is only available AFTER login.

Conclusion

I come to the following conclusion:

While the typical precondition for a session fixation attack is met (non-changing session id), an attack will fail because of the missing, required additional .ASPXAUTH cookie, provided only AFTER successful authentication.

Question

So, should I really change the session cookie after login? Will this only satisfy the WebInspect scan or is there a real value here?

Note: I am very likely having the exact scenario as in Session Fixation: A token and an id, but I am not asking whether it is vulnerable, but what I should do with regards to the report.

Hardening Windows

As Title: How to Harden Windows? here are some ways I’ve learned:

  • Antivirus
  • Good password(s)
  • Caution with mails, suspicious files, etc.

  • Disable unnecessary services (SMB, RDP, PRINT, SPOOLS, …)

  • Encryption(disk)

  • VM(s) for testing malicious files/executable (or browsing a insecure site) -with malware forensic analysis (basic) (like PE studio)

  • using tools like: snort, Wire shark, Smart card(s), Bio-metrics(finger print, voice & face recognition)

Any Answer(s) (Long or Short!), or even URLS as answers- are GREATLY appreciated! Thanks!

Hardening VM for Malware Analysis

Dear Security Experts,

I starting out in Malware Research / Malware Analysis. I am reading a book Practical Guide to Malware Analysis, which touches this in 2nd chapter, before approaching Dynamical Analysis (malware detonation). However, it mentions 2 options for Virtualization approach.

  1. One is to set Network Adapter to Host-Only. That way it should isolate VM from Network, but still have access to it via Host – not sure though how that works though.

  2. They mention a multi VM setup where one VM is set for Services and other for Analysis and both are joined to same Custom VMNet.

My problem is that there are no step-by-step instructions on how to do this, so I am hopping to get answers here. My most curious questions is: Is setting Network Adapter to Host-Only the only thing to do to isolate the VM for Malware Analysis? Because many sites I googled mention just this (and also taking snapshots etc.).

Thanks.

CIS hardening of alpine based docker container

I’ve got a service running inside a docker container. I’ve built my own image based on nginx:stable-alpine docker image.

I am trying to ascertain whether the concept of CIS hardening applies to the container itself or just the host OS where the container is running. (I am not interested in the host itself as that is already CIS hardened by the hosting provider)

Had a couple of suggestions such as https://github.com/docker/docker-bench-security and https://github.com/dev-sec/cis-docker-benchmark but these again only seem to apply to the Host OS where docker is running. the nginx alpine image does for example contain some sample confs and html which should be removed according to CIS hardening rules.

Are there any scripts or tools i can run that can report on whether there are other aspects of the container that need to be hardened in the Dockerfile to ensure the container is CIS compliant? ideally i’d like to avoid having to prove every point in the CIS hardening spec manually. I have found this but its 3 years old script and i cant be confident that its maintained.

Debian 9 file system CIS-CAT hardening issues

I’m performing a CIS-CAT scan and I’m questioning the results of the scanner being poorly designed. Now I am running on Debian 9 which isn’t officially supported by the scanner but I can get it to run and I’ve implemented 95% of their requirements and can successfully scan using the following command:

sudo ./CIS-CAT.sh -f -D ignore.platform.mismatch=true -D include.csv.remediation=true -csv 

/bin has permissions of drwxr-x–x and they want me to remove execute for other, however if I "chmod o-x /bin" then a regular user cannot execute standard commands like "ls" Is there a different approach to this?

Same thing with the following: /dev /var/cache/man /run/systemd /run/dbus /run/sshd 

which have permissions of drwxr-xr-x. CIS-CAT wants me to remove other read and execute but it’s permissions get reset on reboot.